GOVERNMENT ICT STANDARDS


Cloud Computing Standard
First Edition 2016
ICTA 2016. All rights reserved.


CONTENTS

- ICTA STANDARDS DESCRIPTION
- DOCUMENT CONTROL
- FOREWORD
- INTRODUCTION
- SCOPE
- APPLICATION
- NORMATIVE REFERENCES
- DEFINITIONS
  - Cloud computing
  - Interoperability
  - Privacy
  - Software as a Service (SaaS)
  - Platform as a Service (PaaS)
  - Infrastructure as a Service (IaaS)
  - Private Cloud
  - Community Cloud
  - Public Cloud
  - Hybrid Cloud
- ABBREVIATIONS
- SUB DOMAINS
- REQUIREMENTS
- ANNEXES
  - Annex A.1 Cloud Service Selection (PaaS, SaaS, IaaS)
  - Annex 2: Cloud deployment model selection (public, private, hybrid, community cloud)
  - Annex 3: Service level Agreement
- APPENDICES
  - APPENDIX I: Risk assessment checklist
  - Appendix II Checklist for cloud service selection
  - APPENDIX III Checklist for selecting cloud deployment model
  - APPENDIX III Checklist for SLA
  - Appendix IV: Related Documents

ICTA STANDARDS DESCRIPTION

| S/No | Thematic Area | Standards | Brief Description |
|---|---|---|---|
| 1 | Infrastructure | Network Standard | Provides compliant requirements for design, installations and management of all categories of IT Networks to be deployed in government. |
| | | Data Center Standard | Provides compliant requirements for design, installations and management of government data centers. |
| | | Cloud Computing Standard | Provides compliant requirements for design, installations and management of cloud computing infrastructures for government. |
| 2 | Systems & Applications | End-User Equipment Standards | Provides the minimum specifications for all computing devices being deployed in government. |
| | | ICTA-6.001:2016 Systems & Applications Standard | Provides compliant requirements for design, installations and management of all government Software and applications Systems. |
| 3 | IT Security | ICTA-3.001:2016 Information Security Standard | Provides compliant requirements for design, installations and management of Information Technology Security in government. |
| 4 | Electronic records management | ICTA-4.001: 2016 Electronic records and Data Management Standard | Provides compliant requirements for management of government electronic records and data. |
| 5 | IT Governance | ICTA : 2016 IT Governance Standard | Provides compliant requirements for IT Governance in government. This includes compliance requirements for government IT service providers and Professional Staff. |
| 6 | ICT Human Capacity | ICTA.7.001:2016 ICT Human Capital and Work force Development Standard | Provides compliant requirements for development of Human Capital capacity for deployment and support for government ICT infrastructure and services. |

REVISION OF ICT STANDARDS

In order to keep abreast of progress in industry, ICTA Standards shall be regularly reviewed. Suggestions for improvements to published standards, addressed to the Chief Executive Officer, ICT Authority, are welcome.

ICT Authority 2016

Copyright. Users are reminded that by virtue of Section 25 of the Copyright Act, Cap. 12 of 2001 of the Laws of Kenya, copyright subsists in all ICTA Standards and except as provided under Section 26 of this Act, no standard produced by ICTA may be reproduced, stored in a retrieval system in any form or transmitted by any means without prior permission in writing from the Chief Executive Officer.

DOCUMENT CONTROL

| Field | Value |
|---|---|
| Document Name | Cloud Computing Standard |
| Prepared by | ICTA Cloud Computing Standard Technical Committee |
| Edition | First Edition |
| Approved by | Board of Directors |
| Date Approved | 11th August 2016 |
| Effective Date | 1st October 2016 |
| Next Review Date | After 3 years |

FOREWORD

The ICT Authority has an express mandate to, among others, set and enforce ICT standards and guidelines across all aspects of information and communication technology including systems, infrastructure, processes, human resources and technology for the public service. The overall purpose of this specific mandate is to ensure coherence and a unified approach to acquisition, deployment, management and operation of ICTs across the public service, including state agencies, in order to promote service integration, adaptability and cost savings through economies of scale in ICT investments.

In pursuit of this mandate, the Authority established a Standards Committee to identify the critical standards domain areas as well as oversee the standards development process. A total of nine standards falling under six different domain areas were identified by the committee to be relevant for government ICT Standards. The development of all the identified standards was done through a process which took into consideration international requirements, government requirements, stakeholder participation as well as industry/sector best practices. In order to conform to the format of other existing national standards, the committee adopted the Kenya Bureau of Standards (KEBS) format and procedure for standards development. In addition, through Memoranda of Understanding, KEBS has made an invaluable contribution to the development of ICT Authority standards.

The ICTA Cloud Computing Standard, which falls under the overall Government Enterprise Architecture (GEA), has therefore been prepared in accordance with KEBS standards development guidelines. The Authority has the oversight role and responsibility for management and enforcement of this standard. The review and approval of the standard is done by the ICTA Board upon recommendation of the Standards Review Board.

The Authority shall carry out quarterly audits in all the Ministries, Counties, and Agencies (MCA) to determine their compliance with this Standard. The Authority will issue a certificate of compliance to an agency upon completion of the audit assessment. For non-compliant agencies, a report detailing the extent of the deviation and the prevailing circumstances shall be tabled before the Standards Review Board, who will advise on action to take. All government agencies are required to ensure full compliance with this standard for effective and efficient service delivery to the citizen.

Kipronoh Ronoh P.
Director, Programmes and Standards

INTRODUCTION

Cloud computing is a concept that refers to services, applications, and data storage delivered online through powerful file servers interconnected through the internet infrastructure. It allows consumers and businesses to use applications without installation and access their data and information at any computer with internet access. This technology allows for much more efficient computing by centralizing data storage, processing and bandwidth.

NIST specifies five characteristics of cloud computing:

a. On-demand self-service involves customers using a web site or similar control panel interface to provision computing resources such as additional computers, network bandwidth or user accounts, without requiring human interaction between customers and the vendor.
b. Broad network access enables customers to access computing resources over networks such as the Internet from a broad range of computing devices such as laptops and smartphones.
c. Resource pooling involves vendors using shared computing resources to provide cloud services to multiple customers. Virtualization and multi-tenancy mechanisms are typically used to both segregate and protect each customer and their data from other customers, and to make it appear to customers that they are the only user of a shared computer or software application.
d. Rapid elasticity enables the fast and automatic increase and decrease of the amount of available computer processing, storage and network bandwidth as required by customer demand.
e. Pay-per-use measured service involves customers only paying for the computing resources that they actually use, and being able to monitor their usage. This is analogous to household use of utilities such as electricity.

Cloud computing is a new concept in the market and its adoption has been slow but steady due to the slow pace of standardisation, security concerns, continuous evolution and compliance concerns.

Despite these setbacks, cloud computing offers a number of benefits such as:

- Cloud computing solutions are scalable: agencies can purchase as much or as little resource as they need at any particular time. They pay for what they use.
- Agencies do not have to make large capital outlays on computing hardware, or pay for the upkeep of that hardware.
- Cloud computing provides economies of scale through all-of-government volume discounts. This is particularly beneficial for smaller ICT users.
- Agencies can easily access the latest versions of common software, which deliver improved and robust functionality and eliminate significant costs associated with version upgrades.
- If agencies are able to access the same programmes, and up-to-date versions of those programmes, this will improve resiliency and reduce productivity losses caused when applications are incompatible across agencies.

This ICTA standard outlines the various considerations for Ministries, counties and agencies in the selection of cloud computing services and models such as IaaS, SaaS, PaaS and public cloud, private cloud, community cloud and hybrid cloud.

SCOPE

This standard shall provide guidelines on deployment and selection of cloud based computing products and services. This standard guides the MCAs as consumers of cloud services from vendors.

APPLICATION

This standard shall be applicable to the following:

- Central Government of Kenya
- County Governments
- Constitutional Commissions
- State Corporations

NORMATIVE REFERENCES

The following standards contain provisions which, through reference in this text, constitute provisions of this standard. All standards are subject to revision and, since any reference to a standard is deemed to be a reference to the latest edition of that standard, parties to agreements based on this standard are encouraged to take steps to ensure the use of the most recent editions of the standards indicated below. Information on currently valid national and international standards can be obtained from Kenya Bureau of Standards.

- IEEE P2301 & 2302 DRAFTS
- ITU FG technical report on cloud
- NIST special publication on cloud
- Virtualization Framework (OVF), Virtual Hard Disk (VHD)
- Cloud Data Management Interface (CDMI)
- SOAP and REST
- Amazon Web Services Identity Access Management (AWS IAM), OAuth, OpenID, WS-Security
- OASIS

DEFINITIONS

For the purposes of this ICTA Standard the following definitions, abbreviations and symbols apply:

Cloud computing
Cloud computing is a concept that refers to services, applications, and data storage delivered online through powerful file servers interconnected through the internet infrastructure.

Interoperability
Interoperability typically refers to the ability to easily move workloads and data from one cloud provider to another or between private and public clouds.

Privacy
Information privacy is the assured, proper, and consistent collection, processing, communication, use and disposition of personal information (PI) and personally-identifiable information (PII) throughout its life cycle. (Source: adapted from OASIS)

Software as a Service (SaaS)
The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based ). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Popular SaaS offerings include and collaboration and customer relations management. (Source: NIST CC Definition)

Platform as a Service (PaaS)
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. (Source: NIST CC Definition)

Infrastructure as a Service (IaaS)
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). (Source: NIST CC Definition)

Private Cloud
The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. (Source: NIST CC Definition)

Community Cloud
The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. (Source: NIST CC Definition)

Public Cloud
The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. (Source: NIST CC Definition)

Hybrid Cloud
The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds). (Source: NIST CC Definition)

ABBREVIATIONS

- IaaS: Infrastructure as a service
- PaaS: Platform as a service
- SaaS: Software as a service
- NIST: National institute of science and technology
- SLA: Service level agreement
- PI: Personal information
- PII: Personal identifiable information
- MCA: Ministry, county, agency
- TCO: Total cost of ownership
- GoK: Government of Kenya
- LAN: Local Area Network

SUB DOMAINS

The following are the sub domains covered:

- Cloud service selection
- Cloud deployment model selection
- Service level agreements

REQUIREMENTS

This section provides cloud standards needed to guide MCAs in selecting a cloud service and the model of deployment. All MCAs shall develop operational manuals to institutionalize this standard.

| Sub domain | Description | Requirements |
|---|---|---|
| Cloud service selection (PaaS, SaaS, IaaS) | MCAs shall select a cloud service based on an objective business case | Annex A.1 |
| Cloud deployment model selection (public, private, hybrid, community cloud) | MCAs shall select a cloud deployment model based on an objective business case | Annex A.2 |
| Service level agreements | MCAs shall have an SLA covering cost, liability, information security, interoperability and portability, availability, performance, sustainability, privacy, vendor lock-in, integration | Annex A.3 |

ANNEXES

Annex A.1 Cloud Service Selection (PaaS, SaaS, IaaS)

1. SaaS business case

a. MCAs shall not pursue a SaaS solution for an application if it requires specialized technical knowledge to operate and support, or requires customization that a SaaS vendor cannot offer.
b. MCAs shall determine what reporting services the provider offers, and whether they are compatible with the business reporting requirements. Because SaaS involves giving up direct control of some MCA data, accurate and useful reporting is especially important.
c. MCAs shall consider the type and amount of data that will be transmitted to and from the application on a regular basis. Internet bandwidth pales in comparison to the gigabit Ethernet links commonly found in enterprise LANs, and data transmissions that take a few minutes to transfer between servers in the server room might take hours to transmit to and from a SaaS application located across the country. Because of this, MCAs shall consider a solution that takes network latency into consideration. An appliance-based solution, for example, might cache or batch.
d. MCAs shall ensure the cloud service is accessible to persons with disability.
e. Potential SaaS include:
   - office productivity suite
   - collaboration including IP telephony
   - customer relationship management

2. PaaS business case

a. MCAs shall consider platform as a service:
   - if they are carrying out a collaborative software development project that involves multiple agencies
   - if they are deploying applications that are to be shared by multiple users simultaneously
b. When evaluating and choosing a PaaS provider, MCAs shall consider if the programming languages and server side technologies offered by the provider match their needs.
c. MCAs shall ensure that providers meet the connectivity, storage and redundancy needs to ensure services availability.

3. IaaS business case

a. MCAs shall consider acquiring infrastructure as a service if they want a cloud based data center without having to install new equipment.
b. MCAs shall ensure that IaaS providers meet the commonly used standards for access. These include: Extensible Markup Language (XML), Representational State Transfer (REST), Simple Object Access Protocol (SOAP), and File Transfer Protocol (FTP).
c. MCAs shall consider the burden to ICT staff of monitoring and managing applications in a cloud provider's data centre in addition to those on the premises. This includes software patches, maintenance and upgrades.
d. MCAs shall ensure that providers meet the connectivity, storage and redundancy needs to ensure services availability.
e. MCAs shall take full advantage of pay-per-use pricing of the data center for IaaS.
f. MCAs are discouraged from investment in private IaaS.

Annex 2: Cloud deployment model selection (public, private, hybrid, community cloud)

1. Public cloud business case

MCAs shall carry out a risk assessment based on Appendix 1 to determine the balance between cost and security of this model. This model has a variety of inherent security risks that need to be considered. It also has maximum potential cost efficiencies due to economies of scale.

2. Private cloud business case

MCAs shall carry out a risk assessment based on Appendix 1 to determine the balance between cost and security of this model. This model has reduced potential cost efficiencies. However, it has reduced potential security concerns. It also enables easier contract negotiations between the provider and consumers.

3. Community cloud business case

MCAs shall consider this model if they have other MCAs with similar security requirements and in need of processing and storing data of similar requirements. This model attempts to obtain most of the security benefits of a private cloud, and most of the economic benefits of a public cloud.

4. Hybrid cloud business case

MCAs shall establish a business case for this model. It involves a combination of cloud models. An example is using commodity resources from a public cloud such as web servers to display non-sensitive data, which interacts with sensitive data stored or processed in a private cloud.

Annex 3: Service level Agreement

General requirements

a. The adoption of cloud services will require agencies to build new skills and capabilities into their workforce. In particular, agencies will require a high level of proficiency in procurement, contract negotiation and management, and supplier performance management to ensure value for money is realised.
b. MCAs shall look to first adopt cloud services for those areas where the market has already achieved an acceptable level of maturity. Mature areas typically have begun to extend their focus from delivering pure functionality to additional attributes like security, availability, performance and interoperability.

Liability

c. MCAs shall ensure SLAs cover issues such as ending the arrangement, dispute resolution, early warning of bankruptcy (or similar), compensation for data loss/misuse, change of control and assignment/novation, change of terms at the discretion of the provider.

Information security

a. MCAs shall ensure that data is stored in agreed locations, and is retrievable inside agreed timeframes.
b. MCAs shall retain control over any data or information that is placed in a cloud service and ensure it is adequately protected from loss.
c. MCAs shall carry out a risk assessment to determine the information security viability of migrating to a cloud. The checklist in Appendix 1 shall serve as a guide.
d. MCAs shall ensure the provider is audited by a third party to determine their compliance with GoK information security standards.
e. Privacy of any data stored on a cloud computing service must be maintained in accordance with statutory/regulatory obligations.
f. The chosen solution should not require significant firewall rule changes. For example, port 80 and port 443 should be sufficient for the solution to function (these ports are usually open already).
g. MCAs shall ensure data is permanently deleted from a provider's storage media when migrating.
h. MCAs shall be aware of Kenya legislative and regulatory requirements when storing personal data (e.g. the Kenya Information Privacy laws and the Public laws).
i. MCAs shall ensure the location of the data is consistent with local legislation.
j. All stored and transmitted data must be encrypted.
k. Disaster Recovery expectations must be defined (e.g. worst case recovery commitment).

Interoperability and portability

a. The following requirements should be carefully considered when identifying a suitable solution:
   - Active Directory integration
   - single sign-on
b. MCAs shall ensure that the cloud provider supports open standards that guarantee:
   - Workload migration: a workload that executes in one cloud provider can be uploaded to another cloud provider.
   - Data migration: data that resides in one cloud provider can be moved to another cloud provider.
   - User authentication: a user who has established an identity with a cloud provider can use the same identity with another cloud provider.
   - Workload management: custom tools developed for cloud workload management can be used to manage multiple cloud resources from different vendors.
c. MCAs shall ensure that the cloud deployment model supports common standards on:
   i. application interfaces;
   ii. portability interfaces;
   iii. management interfaces;
   iv. file formats; and
   v. operation conventions.

Availability

MCAs shall ensure there is an SLA with the cloud provider for 99.99% availability during work days and 99.9% for nights/weekends.

Performance

Service level agreements shall ensure maximum service response times.

Cost

MCAs shall consider the total cost of ownership (TCO) of a cloud service, compared to that of an equivalent on-premise service.

Sustainability

For MCAs providing cloud services, the cost of deploying and maintaining cloud computing infrastructure is very high, so there is a need to be able to recover it. MCAs shall select a chargeback model that adequately fits the consumers' and Government's needs, i.e.:

i. Pay-as-you-grow
ii. Usage-based pricing
iii. Elasticity model

Privacy

MCAs shall ensure the cloud provider adheres to regulatory law in relation to privacy and public record-keeping requirements. MCAs shall consider any legal obligations they have towards customers or other parties, and whether cloud will allow them to continue to meet them.

Vendor lock-in

a. MCAs shall ensure that the cloud solution supports quick-entry, quick-exit, low-cost solutions.
b. MCAs shall have an exit strategy in case they intend to change providers.
c. MCAs shall not pursue a solution if:
   - the solution provider wants months of preparation to assess agency needs or conduct training
   - the solution involves an extended lock-in period for the agency
   - the solution involves substantial financial investment

   The cost of the solution should be such that if the solution fails to satisfy agency requirements, it is considered low risk to terminate the service or try another service.
d. In addition, the costs should be simple and straightforward. A convoluted pricing model is uncommon for cloud services and should be carefully considered during evaluation.

Integration

MCAs shall ensure that migrating to cloud will meet any functional and data-integration requirements the organization has in place.

APPENDICES

APPENDIX I: Risk assessment checklist

- Data or functionality to be moved to the cloud is not business critical
- The provider is audited by a third party to determine their compliance with GoK information security standards
- Reviewed the vendor's business continuity and disaster recovery plan
- Maintain an up-to-date backup copy of data
- Data or business functionality will be replicated with a second vendor
- The network connection between me and the vendor's network is adequate
- The Service Level Agreement (SLA) guarantees adequate system availability
- Scheduled outages are acceptable both in duration and time of day
- Scheduled outages affect the guaranteed percentage of system availability
- Receive adequate compensation for a breach of the SLA or contract
- Redundancy mechanisms and offsite backups prevent data corruption or loss
- If a file or other data is accidentally deleted, the vendor can quickly restore it
- Increase use of the vendor's computing resources at short notice
- Easily move data to another vendor or in-house
- Easily move standardised application to another vendor or in-house
- My choice of cloud-sharing model aligns with my risk tolerance
- My data is not too sensitive to store or process in the cloud
- Meet the legislative obligations to protect and manage my data
- Know and accept the privacy laws of countries that have access to my data
- The vendor suitably sanitises storage media storing my data at its end of life
- The vendor securely monitors the computers that store or process my data
- Use my existing tools to monitor my use of the vendor's services
- Retain legal ownership of my data
- The vendor has a secure gateway environment
- The vendor's gateway is certified by an authoritative third party
- The vendor provides a suitable content filtering capability
- The vendor's security posture is supported by policies and processes

- The vendor's security posture is supported by direct technical controls
- Audit the vendor's security or access reputable third-party audit reports
- The vendor supports the identity and access management system that I use
- Users access and store sensitive data only via trusted operating environments
- The vendor uses endorsed physical security products and devices
- The vendor's procurement process for software and hardware is trustworthy
- The vendor adequately separates me and my data from other customers
- Using the vendor's cloud does not weaken my network security posture
- Have the option of using computers that are dedicated to my exclusive use
- When I delete my data, the storage media is sanitised before being reused
- The vendor does not know the password or key used to decrypt my data
- The vendor performs appropriate personnel vetting and employment checks
- Actions performed by the vendor's employees are logged and reviewed
- Visitors to the vendor's data centres are positively identified and escorted
- Vendor data centres have cable management practices to identify tampering
- Vendor security considerations apply equally to the vendor's subcontractors
- The vendor is contactable and provides timely responses and support
- Reviewed the vendor's security incident response plan
- The vendor's employees are trained to detect and handle security incidents
- The vendor will notify me of security incidents
- The vendor will assist me with security investigations and legal discovery
- Access audit logs and other evidence to perform a forensic investigation
- Receive adequate compensation for a security breach caused by the vendor
- Storage media storing sensitive data can be adequately sanitised

Appendix II Checklist for cloud service selection

| Checklist item | Compliance: Yes | Compliance: No | Comment |
|---|---|---|---|
| SaaS | | | |
| Does the application require specialized technical knowledge or require customization that a SaaS vendor cannot offer? | | | |
| Does the application require large bandwidth on a regular basis? | | | |
| Is the SaaS cheaper than an on-premise application? | | | |
| Does the SaaS provider adhere to regulatory law in relation to privacy and public record-keeping requirements? | | | |
| Do the SaaS reports conform to MCA requirements? | | | |
| PaaS | | | |
| Is the project a collaborative software development project that involves multiple agencies? | | | |
| Do the programming languages and server side technologies offered by the provider match MCA needs? | | | |
| Is it less costly to run the applications in PaaS than in-premise? | | | |
| IaaS | | | |
| Does the MCA have enough staff capacity to manage the IaaS? | | | |
| Does the provider meet the connectivity, storage and redundancy needs to ensure services availability? | | | |
| Is it cheaper to acquire IaaS or in-premise hosting? | | | |
| Does the provider meet the commonly used standards for access? | | | |
| Does the MCA have an exit strategy from the provider and to take their existing data out of the solution and move it to another one? | | | |
| Is the MCA capable of taking full advantage of pay-per-use pricing of the data center for IaaS? | | | |

APPENDIX III Checklist for selecting cloud deployment model

| Checklist item | Compliance: Yes | Compliance: No | Comment |
|---|---|---|---|
| Public Cloud | | | |
| Has the MCA carried out a risk assessment based on Appendix 1 to determine the balance between cost and security of this model? | | | |
| Private Cloud | | | |
| Has the MCA carried out a risk assessment based on Appendix 1 to determine the balance between cost and security of this model? | | | |
| Community Cloud | | | |
| Does the MCA have other MCAs with similar security requirements and in need of processing and storing data of similar requirements? | | | |
| Hybrid Cloud | | | |
| Is there a justifiable business case for this model? | | | |

22 APPENDIX III Checklist for SLA Subject Requirement Yes No Comments General requirements The adoption of cloud services will require agencies to build new skills and capabilities into their workforce. In particular, agencies will require a high level of proficiency in procurement, contract negotiation and management, and supplier performance management to ensure value for money is realised. MCAs shall look to first adopt cloud services for those areas where the market has already achieved an acceptable level of maturity. Mature areas typically have begun to extend their focus from delivery pure functionality to additional attributes like security, availability, performance and interoperability. Liability MCAs shall ensure SLAs cover issues such as ending the arrangement, dispute resolution, early warning of bankruptcy (or similar), compensation for data loss/misuse, change of control and assignment/novation, change of terms at the discretion of the provider. 22

23 Information security MCAs shall ensure that data is stored in agreed locations, and is retrievable inside agreed timeframes MCAs shall retain control over any data or information that is placed in a cloud service and ensure it is adequately protected from loss. MCAs shall carry out a risk assessment to determine the information security viability of migrating to a cloud. The checklist in Appendix 1 shall serve as a guide. MCAs shall ensure the provider is audited by a third party to determine their compliance with GoK information security standards. Privacy of any data stored on a cloud computing service must be maintained in accordance with statutory/regulatory obligations The chosen solution should not require significant firewall rule changes. For example, port 80 and port 443 should be sufficient for the solution to function (these ports are usually open already). MCAs shall ensure data is permanently deleted from a provider s storage media when migrating MCAs shall be aware of Kenya legislative and regulatory requirements when storing personal data (e.g. the Kenya Information Privacy laws and the Public laws). MCAs shall ensure the location of the data is consistent with local legislation All stored and transmitted data must be encrypted Disaster Recovery expectations must be defined (e.g. worse case recovery commitment 23

24

Interoperability and portability
- The following requirements should be carefully considered when identifying a suitable solution:
  - active directory integration
  - single sign on
- MCAs shall ensure that the cloud provider supports open standards that guarantee:
  - Workload migration: a workload that executes in one cloud provider can be uploaded in another cloud provider.
  - Data migration: data that resides in one cloud provider can be moved to another cloud provider.
  - User authentication: a user who has established an identity with a cloud provider can use the same identity with another cloud provider.
  - Workload management: custom tools developed for cloud workload management can be used to manage multiple cloud resources from different vendors.
- MCAs shall ensure that the cloud deployment model supports common standards on:
  - application interfaces;
  - portability interfaces;
  - management interfaces;
  - file formats; and
  - operation conventions

Availability
- MCAs shall ensure there is an SLA with the cloud provider for 99.99% during work days, 99.9% for nights/weekend.

Performance
- Service level agreements shall ensure maximum service response times.

Cost
- MCAs shall consider the total cost of ownership (TCO) of a cloud service, compared to that of an equivalent on-premise service.

Sustainability
- For MCAs providing cloud services, the cost of deploying and maintaining cloud computing infrastructure is very high, and therefore there is a need to be able to recover it. MCAs shall select a chargeback model that adequately fits the consumers' and Government's needs, i.e.:
  - Pay-as-you-grow
  - Usage based pricing
  - Elasticity model

25

Privacy
- MCAs shall ensure the cloud provider adheres to regulatory law in relation to privacy and public record-keeping requirements.
- MCAs shall consider any legal obligations they have towards customers or other parties, and whether cloud will allow them to continue to meet them.

Vendor lock-in
- MCAs shall ensure that the cloud solution supports quick-entry, quick-exit, low-cost solutions.
- MCAs shall have an exit strategy in case they intend to change providers.
- MCAs shall not pursue a solution if:
  - the solution provider wants months of preparation to assess agency needs or conduct training
  - the solution involves an extended lock-in period for the agency
  - the solution involves substantial financial investment
- The cost of the solution should be such that if the solution fails to satisfy agency requirements, it is considered low risk to terminate the service or try another service. In addition, the costs should be simple and straightforward. A convoluted pricing model is uncommon for cloud services and should be carefully considered during evaluation.

Integration
- MCAs shall ensure that migrating to cloud will meet any functional and data-integration requirements the organization has in place.

26 Appendix IV: Related Documents

Code Number | Title
ICTA : 2016 | Government Enterprise Architecture
ICTA : 2016 | Infrastructure Standard (Networks, Cloud, End user Computing Device, Data Centre)
ICTA : 2016 | Information Security Standard
ICTA : 2016 | Electronic Records and Data Management Standard
ICTA : 2016 | IT Governance Standard
ICTA : 2016 | Systems and Application Standard
ICTA.7.001:2016 | ICT Human Capital and Work force Development Standard

27 ICT Authority
Telposta Towers, 12th Floor, Kenyatta Ave
P.O. Box Nairobi, Kenya
t: /62
info@ict.go.ke or communications@ict.go.ke or standards@ict.go.ke


More information

Cloud Computing Introduction & Offerings from IBM

Cloud Computing Introduction & Offerings from IBM Cloud Computing Introduction & Offerings from IBM Gytis Račiukaitis IT Architect, IBM Global Business Services Agenda What is cloud computing? Benefits Risks & Issues Thinking about moving into the cloud?

More information

ISO/IEC TR TECHNICAL REPORT

ISO/IEC TR TECHNICAL REPORT TECHNICAL REPORT ISO/IEC TR 27019 First edition 2013-07-15 Information technology Security techniques Information security management guidelines based on ISO/IEC 27002 for process control systems specific

More information

Data Security, Integrity and Accessibility in the Cloud

Data Security, Integrity and Accessibility in the Cloud Data Security, Integrity and Accessibility in the Cloud Shared Responsibility Principles for Financial Services Institutions & Cloud Service Providers Introduction This document presents principles intended

More information

Migrating Applications to the Cloud

Migrating Applications to the Cloud Migrating Applications to the Cloud Mr. John Hale Chief, DISA Cloud Services May, 2018 1 Disclaimer The information provided in this briefing is for general information purposes only. It does not constitute

More information

Draft Applicant Guidebook, v3

Draft Applicant Guidebook, v3 Draft Applicant Guidebook, v3 Module 5 Please note that this is a discussion draft only. Potential applicants should not rely on any of the proposed details of the new gtld program as the program remains

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017 Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and

More information

Chapter 4. Fundamental Concepts and Models

Chapter 4. Fundamental Concepts and Models Chapter 4. Fundamental Concepts and Models 4.1 Roles and Boundaries 4.2 Cloud Characteristics 4.3 Cloud Delivery Models 4.4 Cloud Deployment Models The upcoming sections cover introductory topic areas

More information

EU Cloud Computing Policy. Luis C. Busquets Pérez 26 September 2017

EU Cloud Computing Policy. Luis C. Busquets Pérez 26 September 2017 EU Cloud Computing Policy Luis C. Busquets Pérez 26 September 2017 The digital revolution is built on data Most economic activity will depend on data within a decade Potential of the data-driven economy

More information

VMware vcloud Air Accelerator Service

VMware vcloud Air Accelerator Service DATASHEET AT A GLANCE The VMware vcloud Air Accelerator Service assists customers with extending their private VMware vsphere environment to a VMware vcloud Air public cloud. This Accelerator Service engagement

More information

DATACENTER AS A SERVICE. We unburden you at the level you desire

DATACENTER AS A SERVICE. We unburden you at the level you desire DATACENTER AS A SERVICE We unburden you at the level you desire MARKET TREND BY VARIOUS ANALYSTS The concept of flexible and scalable computing is a key reason to create a Cloud based architecture 77%

More information